NCSA Webboard

    Cyber Threat Intelligence 02 March 2026

    Cyber Security News
    Posted by NCSA_THAICERT

      Industrial Sector

      • InSAT MasterSCADA BUK-TS
        "Successful exploitation of these vulnerabilities may allow remote code execution."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-01
      • Copeland XWEB And XWEB Pro
        "Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication, cause a denial-of-service condition, cause memory corruption, and execute arbitrary code."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-10
      • Gardyn Home Kit
        "Successful exploitation of these vulnerabilities could allow unauthenticated users to access and control edge devices, access cloud-based devices and user information without authentication, and pivot to other edge devices managed in the Gardyn cloud environment."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03
        https://www.securityweek.com/critical-flaws-exposed-gardyn-smart-gardens-to-remote-hacking/
      • Mobility46 Mobility46.se
        "Successful exploitation of these vulnerabilities could enable attackers to gain unauthorized administrative control over vulnerable charging stations or disrupt charging services through denial-of-service attacks."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-08
      • EV Energy Ev.energy
        "Successful exploitation of these vulnerabilities could enable attackers to gain unauthorized administrative control over vulnerable charging stations or disrupt charging services through denial-of-service attacks."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-07
      • SWITCH EV Swtchenergy.com
        "Successful exploitation of these vulnerabilities could allow attackers to impersonate charging stations, hijack sessions, suppress or misroute legitimate traffic to cause large-scale denial of service, and manipulate data sent to the backend."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-06
      • EV2GO Ev2go.io
        "Successful exploitation of these vulnerabilities could allow attackers to impersonate charging stations, hijack sessions, suppress or misroute legitimate traffic to cause large-scale denial of service, and manipulate data sent to the backend."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-04
      • CloudCharge Cloudcharge.se
        "Successful exploitation of these vulnerabilities could allow attackers to impersonate charging stations, hijack sessions, suppress or misroute legitimate traffic to cause large-scale denial of service, and manipulate data sent to the backend."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-03
      • Johnson Controls, Inc. Frick Controls Quantum HD
        "Successful exploitation of these vulnerabilities can lead to pre-authentication remote code execution, information leak or denial of service."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-01
      • Industrial Networks Continue To Leak Onto The Internet
        "Industrial operators continue to run remote access portals, building automation servers, and other operational technology services on public IP address ranges. Palo Alto Networks, Siemens, and Idaho National Laboratory describe the scope of that exposure in the Intelligence-Driven Active Defense Report 2026. Cortex Xpanse made over 110 million observations of OT devices exposed to the internet in 2024, a 138% increase over 2023. From those observations, 19,633,628 unique OT devices and services were fingerprinted, a 332% increase over 2023. Those devices were hosted on 1.77 million IPv4 addresses, a 41.6% increase over 2023."
        https://www.helpnetsecurity.com/2026/02/27/ot-internet-exposure-cybersecurity-risk/
      • Schneider Electric EcoStruxure Building Operation Workstation
        "Schneider Electric is aware of a vulnerability in EcoStruxure Building Operation Workstation and EcoStruxure Building Operation WebStation. EcoStruxure Building Operation (EBO) is an open and scalable software platform providing insight, control and management of multiple building systems and devices in one mobile-enabled convenient view. It delivers valuable data for decision-making to improve energy management and increase efficiency for better building performance and comfort, reduced carbon, and more sustainable building environments. Failure to apply the remediations below may risk exposure of local files or denial of service, which could result in data breaches, and operational disruptions."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-02
      • Yokogawa CENTUM VP R6, R7
        "Successful exploitation of these vulnerabilities could allow an attacker to terminate the software stack process, cause a denial-of-service condition, or execute arbitrary code."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-09
      • Pelco, Inc. Sarix Pro 3 Series IP Cameras
        "Successful exploitation of this vulnerability could allow attackers to gain unauthorized access to sensitive device data, bypass surveillance controls, and expose facilities to privacy breaches, operational risks, and regulatory compliance issues."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-02

      New Tooling

      • IronCurtain: An Open-Source, Safeguard Layer For Autonomous AI Assistants
        "Veteran security engineer Niels Provos is working on a new technical approach designed to stop autonomous AI agents from taking actions you haven’t specifically authorized. His open-source software solution, called IronCurtain, aims to neutralize the risk of an LLM-powered agent “going rogue” – whether through prompt injection or the agent gradually deviating from the user’s original intent over the course of a long session."
        https://www.helpnetsecurity.com/2026/02/27/ironcurtain-open-source-ai-agent-security/
        https://github.com/provos/ironcurtain

      Vulnerabilities

      • Millions Of Publicly Exposed .env Files Put Internet Services At Risk: A Mysterium VPN Research
        "Configuration mistakes rarely look dramatic. A single forgotten deployment rule, an overlooked web server setting, or an uploaded project folder that contains hidden files can quietly make a website’s most sensitive secrets accessible to anyone on the internet. Often, these secrets are stored in environment configuration files called .env files. Researchers here at Mysterium VPN identified over 12 million IP addresses with publicly accessible .env-style files, revealing credentials and tokens, including JWT signing keys, API keys, database passwords, and service tokens. This discovery indicates a significant and persistent digital security hygiene issue affecting companies, developers, and end users across multiple countries and industries."
        https://www.mysteriumvpn.com/blog/news/millions-exposed-env-files
        https://securityaffairs.com/188590/hacking/12-million-exposed-env-files-reveal-widespread-security-failures.html
      • OpenClaw Vulnerability: Website-To-Local Agent Takeover
        "OpenClaw, the open-source AI agent that rocketed to over 100,000 GitHub stars in five days, has become the default personal assistant for thousands of developers. It runs on their laptops, connects to their messaging apps, calendars, and dev tools, and takes autonomous actions on their behalf. It has also, as we discovered, been trivially vulnerable to hijacking from any website the developer visits. Oasis Security researchers found a vulnerability chain in OpenClaw that allows any website to silently take full control of a developer's AI agent—with no plugins, extensions, or user interaction required. The OpenClaw team classified this as High severity and shipped a fix within 24 hours."
        https://www.oasis.security/blog/openclaw-vulnerability
        https://thehackernews.com/2026/02/clawjacked-flaw-lets-malicious-sites.html
        https://www.bleepingcomputer.com/news/security/clawjacked-attack-let-malicious-websites-hijack-openclaw-to-steal-data/
        https://hackread.com/openclaw-vulnerability-openclaw-hijack-ai-agents/

      Malware

      • Inside a Fake Google Security Check That Becomes a Browser RAT
        "A website styled to resemble a Google Account security page is distributing what may be one of the most fully featured browser-based surveillance toolkits we have observed in the wild. Disguised as a routine security checkup, it walks victims through a four-step flow that grants the attacker push notification access, the device’s contact list, real-time GPS location, and clipboard contents—all without installing a traditional app. For victims who follow every prompt, the site also delivers an Android companion package introducing a native implant that includes a custom keyboard (enabling keystroke capture), accessibility-based screen reading capabilities, and permissions consistent with call log access and microphone recording."
        https://www.malwarebytes.com/blog/privacy/2026/02/inside-a-fake-google-security-check-that-becomes-a-browser-rat
      • 900 Sangoma FreePBX Instances Infected With Web Shells
        "Approximately 900 Sangoma FreePBX instances remain infected with web shells in attacks that exploited a command injection vulnerability starting December 2025. Sangoma FreePBX is a web-based, open source graphical user interface that serves as a widely deployed management tool for Asterisk-based IP telephone systems. The exploited bug, tracked as CVE-2025-64328 (CVSS score of 8.6) and patched in November 2025, impacts the filestore module of the endpoint manager’s administrative interface."
        https://www.securityweek.com/900-sangoma-freepbx-instances-infected-with-web-shells/
        https://thehackernews.com/2026/02/900-sangoma-freepbx-instances.html
        https://securityaffairs.com/188679/uncategorized/cve-2025-64328-exploitation-impacts-900-sangoma-freepbx-instances.html
      • Trojanized Gaming Tools Spread Java-Based RAT Via Browser And Chat Platforms
        "Threat actors are luring unsuspecting users into running trojanized gaming utilities that are distributed via browsers and chat platforms to distribute a remote access trojan (RAT). "A malicious downloader staged a portable Java runtime and executed a malicious Java archive (JAR) file named jd-gui.jar," the Microsoft Threat Intelligence team said in a post on X. "This downloader used PowerShell and living-off-the-land binaries (LOLBins) like cmstp.exe for stealthy execution." The attack chain is also designed to evade detection by deleting the initial downloader and by configuring Microsoft Defender exclusions for the RAT components."
        https://thehackernews.com/2026/02/trojanized-gaming-tools-spread-java.html
        https://securityaffairs.com/188639/uncategorized/microsoft-warns-of-rat-delivered-through-trojanized-gaming-utilities.html
        https://hackread.com/microsoft-fake-xeno-roblox-utilities-windows-rat/
      • How Infostealers Industrialize The Brute-Forcing Of Corporate SSO Gateways
        "Recently, the cybersecurity community was alerted to a significant credential stuffing attack targeting F5 devices. The activity was first brought to light by threat intelligence group Defused Cyber, who noted that threat actors were attempting to access F5 infrastructure using seemingly legitimate corporate credentials."
        https://www.infostealers.com/article/how-infostealers-industrialize-the-brute-forcing-of-corporate-sso-gateways/
      • Moonrise RAT: A New Low-Detection Threat With High-Cost Consequences
        "Security professionals rely on early detection signals to prioritize and contain incidents. But what happens when a fully capable RAT generates none? In a recent investigation, the ANY.RUN experts uncovered a new Go-based remote access trojan we named Moonrise. At the time of analysis, it wasn’t detected on VirusTotal and had no vendor signatures tied to it. That’s the problem teams can’t ignore: credential theft, remote command execution, and persistence can be active while static checks stay silent. The result is slower triage, and more escalations."
        https://any.run/cybersecurity-blog/cybersecurity-blog/moonrise-rat-detected/
      • Emulating The Mutative BlackByte Ransomware
        "Since its emergence, BlackByte has targeted organizations worldwide, including entities within U.S. critical infrastructure sectors such as Government, Financial Services, Manufacturing, and Energy. Its early activity prompted a joint advisory from the Federal Bureau of Investigation (FBI) and the U.S. Secret Service (USSS), highlighting the group’s rapid operational expansion. Its tradecraft includes exploiting vulnerabilities such as ProxyShell for initial access, leveraging vulnerable drivers to neutralize security controls, and deploying self-propagating ransomware with worm-like capabilities. Operators frequently abuse Living-off-the-Land Binaries (LoLBins) and legitimate commercial tools to blend malicious activity with normal system operations."
        https://www.attackiq.com/2026/02/25/emulating-blackbyte-ransomware/
      • CISA Warns That RESURGE Malware Can Be Dormant On Ivanti Devices
        "The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released new details about RESURGE, a malicious implant used in zero-day attacks exploiting CVE-2025-0282 to breach Ivanti Connect Secure devices. The update focuses on the implant's undetected latency on the appliances and its "sophisticated network-level evasion and authentication techniques" that enable covert communication with the attacker. CISA originally documented the malware on March 28 last year, saying that it can survive reboots, create webshells for stealing credentials, create accounts, reset passwords, and escalate privileges."
        https://www.bleepingcomputer.com/news/security/cisa-warns-that-resurge-malware-can-be-dormant-on-ivanti-devices/
      • Malicious Go “crypto” Module Steals Passwords And Deploys Rekoobe Backdoor
        "Socket’s Threat Research Team uncovered a malicious Go module, github[.]com/xinfeisoft/crypto, that imitates the legitimate golang.org/x/crypto codebase but inserts a backdoor in ssh/terminal/terminal.go. That choice was strategic: golang.org/x/crypto is one of the Go ecosystem’s foundational cryptography codebases, maintained by the Go project and widely relied on for primitives and packages such as bcrypt, argon2, chacha20, and ssh, which makes it a high-trust impersonation target in dependency graphs."
        https://socket.dev/blog/malicious-go-crypto-module-steals-passwords-and-deploys-rekoobe-backdoor
        https://thehackernews.com/2026/02/malicious-go-crypto-module-steals.html
      • Steaelite RAT Enables Double Extortion Attacks From a Single Panel
        "A new remote access trojan called Steaelite is being sold on underground cybercrime networks. The tool gives operators browser-based control over infected Windows machines, covering remote code execution, credential theft, live surveillance, file exfiltration, and ransomware deployment from a single dashboard. What makes Steaelite notable is what it bundles together: data theft and ransomware, traditionally separate parts of the cybercrime toolchain, are packaged into one web panel, with an Android ransomware module already in development."
        https://www.blackfog.com/steaelite-rat-double-extortion-from-single-panel/
        https://www.theregister.com/2026/02/27/double_extortion_whammy_steaelite_rat/
      • QuickLens Chrome Extension Steals Crypto, Shows ClickFix Attack
        "A Chrome extension named "QuickLens - Search Screen with Google Lens" has been removed from the Chrome Web Store after it was compromised to push malware and attempt to steal crypto from thousands of users. QuickLens was initially published as a Chrome extension that lets users run Google Lens searches directly in their browser. The extension grew to roughly 7,000 users and, at one point, received a featured badge from Google. However, on February 17, 2026, a new version 5.8 was released that contained malicious scripts that introduced ClickFix attacks and info-stealing functionality for those using the extension."
        https://www.bleepingcomputer.com/news/security/quicklens-chrome-extension-steals-crypto-shows-clickfix-attack/
      • What Defenders Need To Know About Iran’s Cyber Capabilities
        "With the current Iran crisis at its peak, cyber activity is a relevant part of the threat picture alongside kinetic and political pressure. Iran’s ecosystem includes multiple clusters aligned with state entities, the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS), as well as deniable operators and “hacktivist” groups. This ecosystem supports a broad set of objectives: espionage to gain intelligence and footholds; disruption and destructive activity, including DDoS attacks, pseudo-ransomware, and data wipers to impose costs; and information operations that pair destructive activity or data leaks with coordinated online amplification."
        https://blog.checkpoint.com/research/what-defenders-need-to-know-about-irans-cyber-capabilities/

      Breaches/Hacks/Leaks

      • 38 Million Allegedly Impacted By ManoMano Data Breach
        "Roughly 38 million people were likely impacted by a data breach at European DIY store chain ManoMano after hackers compromised a support portal. The attack occurred in January and was disclosed this week, when ManoMano started notifying the potentially affected customers of the incident. According to the company’s notification, copies of which were shared on X, the data was stolen after a customer service subcontractor was compromised."
        https://www.securityweek.com/38-million-allegedly-impacted-by-manomano-data-breach/
        https://securityaffairs.com/188582/data-breach/manomano-data-breach-impacted-38-million-customer-accounts.html
        https://www.theregister.com/2026/02/27/manomano_breach/
      • $4.8M In Crypto Stolen After Korean Tax Agency Exposes Wallet Seed
        "Someone jumped at the opportunity to steal $4.4 million in crypto assets after South Korea’s National Tax Service exposed publicly the mnemonic recovery phrase of a seized cryptocurrency wallet. The funds were stored in a Ledger cold wallet seized in law enforcement raids at 124 high-value tax evaders that resulted in confiscating digital assets worth 8.1 billion won (currently approximately $5.6 million). When announcing the success of the operation, the agency released photos of a Ledger device, a popular hardware wallet for crypto storage and management."
        https://www.bleepingcomputer.com/news/security/48m-in-crypto-stolen-after-korean-tax-agency-exposes-wallet-seed/
      • Claude Didn't Just Plan An Attack On Mexico's Government. It Executed One For a Month — Across Four Domains Your Security Stack Can't See.
        "Attackers jailbroke Anthropic’s Claude and ran it against multiple Mexican government agencies for approximately a month. They stole 150 GB of data from Mexico’s federal tax authority, the national electoral institute, four state governments, Mexico City’s civil registry, and Monterrey’s water utility, Bloomberg reported. The haul included documents related to 195 million taxpayer records, voter records, government employee credentials, and civil registry files. The attackers' weapon of choice wasn’t malware or sophisticated tradecraft created in stealth. It was a chatbot available to anyone."
        https://venturebeat.com/security/claude-mexico-breach-four-blind-domains-security-stack
        https://www.securityweek.com/hackers-weaponize-claude-code-in-mexican-government-cyberattack/
        https://securityaffairs.com/188696/ai/claude-code-abused-to-steal-150gb-in-cyberattack-on-mexican-agencies.html

      General News

      • Ukrainian Man Pleads Guilty To Running AI-Powered Fake ID Site
        "A Ukrainian man has pleaded guilty to operating OnlyFake, an AI-powered website that generated and sold more than 10,000 photos of fake identification documents to customers worldwide. 27-year-old Yurii Nazarenko (also known as "John Wick," "Tor Ford," and "Uriel Septimberus") admitted that his OnlyFake subscription-based platform used artificial intelligence to generate realistic-looking counterfeit passports, driver's licenses, and Social Security cards."
        https://www.bleepingcomputer.com/news/security/ukrainian-man-pleads-guilty-to-running-ai-powered-fake-id-site/
      • DeVry University’s CISO On Higher Education Cybersecurity Risk
        "In this Help Net Security interview, Fred Kwong, VP, CISO at DeVry University, outlines how the university balances academic openness with cyber risk. He describes how systems for students are separated from back end operations to limit exposure. Kwong also discusses how student data has changed over the past decade. Data is now centralized in learning management systems, which improves reporting but raises the stakes if a breach occurs. The interview also covers hybrid learning, identity protection, third party connections, and research security. With students logging in from unmanaged devices worldwide, layered controls, strong authentication, and active monitoring are central to protecting accounts and sensitive data."
        https://www.helpnetsecurity.com/2026/02/27/fred-kwong-devry-university-higher-education-cybersecurity-risk/
      • The CISO Role Keeps Getting Heavier
        "Personal liability is becoming a routine part of the CISO job. In Splunk’s 2026 CISO Report, titled From Risk to Resilience in the AI Era, 78% of CISOs said they are concerned about their own liability for security incidents, up from 56% last year. The role carries personal exposure alongside operational accountability, and that shift is influencing how security leaders approach risk, documentation, and board communication. The mandate continues to grow. Nearly all respondents said AI governance and risk management fall under their responsibility. Oversight of generative and other AI systems has joined established duties in detection, response, compliance, and reporting. Many CISOs are responsible for setting internal guardrails around how AI tools are used, what data they can access, and how outputs are reviewed before use in production environments."
        https://www.helpnetsecurity.com/2026/02/27/splunk-ciso-liability-risk-report/
      • UK Vulnerability Monitoring Service Cuts Unresolved Security Flaws By 75%
        "The UK government has claimed it has reduced its backlog of critical vulnerabilities by 75% and reduced cyber-attack fix times by 87%. Serious security weaknesses in public sector websites are fixed six times faster, cutting the average time from nearly two months to just over a week, the UK government said in an update published on 26 February. According to the official statement, the progress comes following the introduction of a specialist government vulnerability monitoring service (VMS), which came about as part of the blueprint for modern digital government policy paper published on January 21."
        https://www.infosecurity-magazine.com/news/uk-vuln-monitoring-service-cuts/
      • The Case For Why Better Breach Transparency Matters
        "Cybersecurity experts are calling for a major shift in how companies handle data breaches and security failures, arguing that greater transparency and specific detail disclosure about how and why they occur is essential if the industry hopes to effectively reduce cyber-risk. At the upcoming RSAC Conference, threat research experts Adam Shostack and Adrian Sanabria will make the case for greater incident transparency and the need for structured feedback loops in cybersecurity, in a session aptly titled "A Failure Is a Terrible Thing to Waste: The Case for Breach Transparency," scheduled for Monday, March 23."
        https://www.darkreading.com/cyberattacks-data-breaches/why-better-breach-transparency-matters
      • Agentic AI: The 2026 Threat Multiplier Reshaping Cyberattacks
        "There are several new threats emerging in 2026, though most are coming from groups that we’ve seen before. Ransomware groups like Qilin and Cl0p aren’t new, but they’re moving faster and using more sophisticated tactics. DireWolf and The Gentlemen were observed in 2025 but are becoming high-velocity groups with hundreds of new victims in 2026. One of the most dangerous new threats of 2026 is not a group but a tool that adds new capabilities and enables faster attacks. Threat actors have been using generative AI (GenAI) for years to write and localize phishing content and develop malware to infect their targets."
        https://blog.barracuda.com/2026/02/27/agentic-ai--the-2026-threat-multiplier-reshaping-cyberattacks
      • U.S. Attorney’s Office EDNC Announces Seizure Of $61 Million Dollars’ Worth Of Cryptocurrency
        "The United States Attorney’s Office for the Eastern District of North Carolina announced that federal agents seized over $61 million worth of Tether, a cryptocurrency pegged to the U.S. dollar. Investigators traced the seized funds to cryptocurrency addresses allegedly associated with the laundering of criminally derived proceeds stolen from victims of cryptocurrency investment scams, commonly known as a “pig butchering scheme”."
        https://www.justice.gov/usao-ednc/pr/us-attorneys-office-ednc-announces-seizure-61-million-dollars-worth-cryptocurrency
        https://thehackernews.com/2026/02/doj-seizes-61-million-in-tether-linked.html

      References
      Electronic Transactions Development Agency (ETDA)
